ref: Use getApiURl() inside of static/app/view/{dashboards,discover}/*#106738
| projectIdOrSlug: projectSlug!, | ||
| eventId: eventId!, | ||
| }, | ||
| } |
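Review bot: the `!` on `projectSlug!` and `eventId!` asserts `undefined` away instead of checking for it, so a value that is missing at runtime is passed into these path parameters unchanged. Narrow both values with an explicit check before this object is built and drop the two assertions.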
Bug: The code unsafely splits eventSlug without validating it contains a colon. A malformed URL can cause eventId to be undefined, leading to an invalid API request.
Severity: MEDIUM
Suggested Fix
Before splitting eventSlug, add a guard to validate that it contains a colon. If the format is invalid, handle the error gracefully instead of proceeding with an unsafe split and non-null assertion.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: static/app/views/discover/eventDetails.tsx#L43
Potential issue: The `eventSlug` parameter from the URL is split by a colon to extract
`projectSlug` and `eventId`. However, there is no validation to ensure the slug contains
a colon. If a user navigates to a URL where `eventSlug` is missing a colon (e.g., a
malformed or manually entered URL), `eventSlug.split(':')` will result in `eventId`
being `undefined`. A non-null assertion `eventId!` is then used, which passes
`undefined` to `getApiUrl`. This constructs an invalid API endpoint like
`/organizations/.../events/project:undefined/`, leading to a 404 error.
IMO this is fine. If the slug is malformed we've got bigger problems, and catching a Sentry exception here would be fine
I'll take special care with this one. I think some decent type-aware parsing will do the trick instead of letting it fail. It shouldn't be failing at all, just TS needs to know what's up.
It's matching against: r"^(?P<organization_id_or_slug>[^/]+)/events/(?P<project_id_or_slug>[^/]+):(?P<event_id>(?:\d+|[A-Fa-f0-9-]{32,36}))/$",
https://github.com/getsentry/sentry/blob/master/src/sentry/api/urls.py#L1708
The colon is mandatory in there. The JS won't throw; the only thing that can happen is the response fails with 404.
That should be covered because we're properly looking at the error return value. I think this is as good as before.
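An added example, not code from this pull request or from Sentry: one way to do the type-aware parsing discussed above, validating `eventSlug` against the `<project_id_or_slug>:<event_id>` part of the backend route quoted in the thread. The names `splitWithAssertions`, `parseEventSlug` and `eventDetailsPath`, the path layout, and the sample slugs are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not Sentry code.
type ParsedEventSlug = {projectSlug: string; eventId: string};

// Same shape as the <project_id_or_slug>:<event_id> segment of the backend
// route quoted in the thread: no "/" in the project part, a mandatory colon,
// then a numeric id or a 32-36 character hex/dash id.
const EVENT_SLUG_RE = /^([^/]+):(\d+|[A-Fa-f0-9-]{32,36})$/;

// The pattern under review: split plus non-null assertions. The declared
// types say "string", but eventId is undefined at runtime without a colon.
function splitWithAssertions(eventSlug: string): ParsedEventSlug {
  const [projectSlug, eventId] = eventSlug.split(':');
  return {projectSlug: projectSlug!, eventId: eventId!};
}

// Type-aware alternative: returns null instead of asserting.
function parseEventSlug(eventSlug: string | undefined): ParsedEventSlug | null {
  if (!eventSlug) {
    return null;
  }
  const match = EVENT_SLUG_RE.exec(eventSlug);
  if (!match) {
    return null;
  }
  const projectSlug = match[1];
  const eventId = match[2];
  if (projectSlug === undefined || eventId === undefined) {
    return null;
  }
  return {projectSlug, eventId};
}

// Builds the request path only from a validated slug (path layout assumed).
function eventDetailsPath(orgSlug: string, eventSlug: string | undefined): string | null {
  const parsed = parseEventSlug(eventSlug);
  if (!parsed) {
    return null; // caller can render "not found" without issuing a request
  }
  const org = encodeURIComponent(orgSlug);
  const project = encodeURIComponent(parsed.projectSlug);
  return `/organizations/${org}/events/${project}:${parsed.eventId}/`;
}

// Constructed sample slugs.
console.log(eventDetailsPath('acme', 'my-project:0123456789abcdef0123456789abcdef'));
console.log(eventDetailsPath('acme', 'my-project'));
console.log(splitWithAssertions('my-project'));
```

With a slug that contains more than one colon, the regex and `split(':')` disagree on where the project part ends, which is another reason to parse with the same pattern the backend uses.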
Cursor Bugbot has reviewed your changes and found 1 potential issue.
gggritso left a comment
Looks good, thanks! There's one thing I agree with the robot on, and one thing I do not 👍🏻
| projectIdOrSlug: projectSlug!, | ||
| eventId: eventId!, | ||
| }, | ||
| } |
IMO this is fine. If the slug is malformed we've got bigger problems, and catching a Sentry exception here would be fine
…}/* (#106738) See: https://gist.github.com/ryan953/af5458fa4f89ae42cc19e8ea266b7e9a --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>